Netgate Discussion Forum
    OpenVPN connects, can't get to lan network

    • burn56

      @doktornotor:

      @burn56:

      Lan IP: 10.1.1.15
      VLan IP: 10.1.1.254

      I have no idea what's VLAN IP but both of the above obviously overlap with the absolutely obnoxious 10.0.0.0/8 clusterfuck. No wonder it's broken. You really need 16M hosts on your network? Seriously?

      VLan is the virtual IP for CARP failover for the LAN.

      As for the obnoxious 10.0.0.0/8, from my reading of the documentation, this was supposed to be the range of IPv4 networks that you want accessible from the remote connection.
      As I have IPs all along that range, it makes sense to shoot for everything.
      I mean, I could be totally wrong and have misread.

      These are the IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. You may leave this blank if you don't want to add a route to the local network through this tunnel on the remote machine. This is generally set to your LAN network.

      I mean, if I follow "this is generally set to your LAN network", wouldn't that mean that 10.1.1.254 or 10.1.1.15 should work as well? Wouldn't that still be an overlap?
      Thanks for your input.

      Edit:
      Reading a bit in the forums, I saw a few people mentioning routing tables, and so I looked there:

      Now em0 is my LAN interface.
      But I can't find ANYWHERE where 10.0.0.0/8 is set. (I'm thinking there may be something to this.)
      I even took it off my OpenVPN setting to be sure.
      Thoughts?

      • viragomann

        The 10.0.0.0/8 hurts me too, but this shouldn't cause the issue. The entry at local networks is only for pushing routes to clients. You may also enter 0.0.0.0/0 there to direct the whole IPv4 range over VPN.

        But two other wrong things I've found in your config:

        • Your LAN interface is set to 10.1.1.15/32. So the address of the other host isn't in the same subnet, but this is required for CARP.

        • Your VPN tunnel network has a public IP range. You should change this to a private range.

        • burn56

          @viragomann:

          The 10.0.0.0/8 hurts me too, but this shouldn't cause the issue. The entry at local networks is only for pushing routes to clients. You may also enter 0.0.0.0/0 there to direct the whole IPv4 range over VPN.

          But two other wrong things I've found in your config:

          • Your LAN interface is set to 10.1.1.15/32. So the address of the other host isn't in the same subnet, but this is required for CARP.

          • Your VPN tunnel network has a public IP range. You should change this to a private range.

          Your LAN interface is set to 10.1.1.15/32. So the address of the other host isn't in the same subnet, but this is required for CARP.

          What do you mean? I seem to be made of bricks today. So, is what I have set a problem? Or is it okay?

          Your VPN tunnel network has a public IP range. You should change this to a private range.

          My tunnel is 172.50.48.0/24, isn't that private?
          What would you suggest other than that? Something that won't bork other settings.

          Thanks for your help thus far!

          • doktornotor

            @burn56:

            My tunnel is 172.50.48.0/24, isn't that private?

            No, obviously…

            
            NetRange:       172.32.0.0 - 172.63.255.255
            CIDR:           172.32.0.0/11
            NetName:        TMO9
            NetHandle:      NET-172-32-0-0-1
            Parent:         NET172 (NET-172-0-0-0-0)
            NetType:        Direct Allocation
            OriginAS:       AS21928
            Organization:   T-Mobile USA, Inc. (TMOBI)
            RegDate:        2012-09-18
            Updated:        2012-09-18
            Ref:            http://whois.arin.net/rest/net/NET-172-32-0-0-1
            
            
            • burn56

              @doktornotor:

              @burn56:

              My tunnel is 172.50.48.0/24, isn't that private?

              No, obviously…

              
              NetRange:       172.32.0.0 - 172.63.255.255
              CIDR:           172.32.0.0/11
              NetName:        TMO9
              NetHandle:      NET-172-32-0-0-1
              Parent:         NET172 (NET-172-0-0-0-0)
              NetType:        Direct Allocation
              OriginAS:       AS21928
              Organization:   T-Mobile USA, Inc. (TMOBI)
              RegDate:        2012-09-18
              Updated:        2012-09-18
              Ref:            http://whois.arin.net/rest/net/NET-172-32-0-0-1
              
              

              Ah!
              Okay. Easy change.
              172.24.48.0/24 it is.

              • viragomann

                @burn56:

                Your LAN interface is set to 10.1.1.15/32. So the address of the other host isn't in the same subnet, but this is required for CARP.

                What do you mean? I seem to be made of bricks today. So, is what I have set a problem? Or is it okay?

                For CARP, the interface addresses of master and slave have to be in the same subnet, and the interfaces have to be able to communicate with each other. The CARP VIP is recommended to be in the same subnet as the interface addresses.

                Your LAN interface (of the master, I assume) is set to 10.1.1.15/32. That's just a single host! You would change the mask to /24 in the interface settings.


                • burn56

                  @viragomann:

                  For CARP, the interface addresses of master and slave have to be in the same subnet, and the interfaces have to be able to communicate with each other. The CARP VIP is recommended to be in the same subnet as the interface addresses.

                  Your LAN interface (of the master, I assume) is set to 10.1.1.15/32. That's just a single host! You would change the mask to /24 in the interface settings.

                  Ah yeah, I had it set to that, and then started trying some other stuff around it.
                  I've changed it back. (Thanks for that sanity check that I was right the first time!)

                  Now my VPN connects, and from the test machine DNS fails to resolve.
                  I tried providing a DNS server list to clients from the client settings in the server config (8.8.8.8, 8.8.4.4), but it still fails.
                  I then tried to have them route to my DHCP server at 10.10.0.2 and that also fails.

                  Client logs had this to say:

                  Wed Dec 09 16:56:32 2015 Set TAP-Windows TUN subnet mode network/local/netmask = 172.24.48.0/172.24.48.2/255.255.255.0 [SUCCEEDED]
                  Wed Dec 09 16:56:32 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.24.48.2/255.255.255.0 on interface {8E8DE95B-B134-4001-A110-B08D646A4D45} [DHCP-serv: 172.24.48.254, lease-time: 31536000]
                  Wed Dec 09 16:56:32 2015 Successful ARP Flush on interface [47] {8E8DE95B-B134-4001-A110-B08D646A4D45}
                  Wed Dec 09 16:56:32 2015 write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065)
                  Wed Dec 09 16:56:37 2015 Initialization Sequence Completed
                  
                  

                  Thoughts?

                  • doktornotor

                    You know, there are well known test tools for DNS. "It fails" is a useless description.

                    • viragomann

                      I guess your clients' default gateway is within 10.0.0.0/8, which you route over the VPN.

                      If you want to access WAN hosts like 8.8.8.8 over VPN you have to push the appropriate route or check "redirect gateway" in server config.

                      • burn56

                        @doktornotor:

                        You know, there are well known test tools for DNS. "It fails" is a useless description.

                        Thanks.
                        @viragomann:

                        I guess your clients' default gateway is within 10.0.0.0/8, which you route over the VPN.

                        If you want to access WAN hosts like 8.8.8.8 over VPN you have to push the appropriate route or check "redirect gateway" in server config.

                        I checked redirect gateway, and I can get to the internet on the test machine, but it still won't let me on the LAN.
                        What would you suggest for a good route to apply?

                        The end goal is just to get them to be able to access the LAN.

                        • viragomann

                          If you can reach Internet over the VPN you should also be able to access the LAN subnet at server side, as long as firewall rules do not prohibit this.

                          For routing the LAN net, you only need to push 10.1.1.0/24 to the client (if /24 is your LAN mask).

                          Is the pfSense box running the VPN server the default gateway in its network? If it isn't, you need appropriate routes for the VPN tunnel, or you need to do NAT.

                          Maybe the LAN host you want to access does not permit access from a different subnet, as the Windows firewall does by default.

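Added example, not from this thread or from pfSense: a small Python check, using the standard ipaddress module, for the three configuration points raised above by doktornotor and viragomann: the tunnel network must be RFC 1918 space (172.50.x.x is not, 172.24.x.x is), the LAN interface mask must actually contain the CARP VIP rather than be a /32, and the "IPv4 Local Network(s)" entry only needs to be the LAN subnet rather than a /8. The function names and check logic are mine; the addresses are the ones quoted in the thread.

```python
import ipaddress

# RFC 1918 private blocks. 172.50.0.0 falls outside 172.16.0.0/12
# (172.16.0.0 - 172.31.255.255), which is the trap in this thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if the whole network lies inside a single RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def push_route_line(cidr):
    """OpenVPN server directive that pushes a route for cidr to clients."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f'push "route {net.network_address} {net.netmask}"'


def check_vpn_config(tunnel, lan_iface, carp_vip, local_networks):
    """Return a list of findings for a pfSense-style OpenVPN + CARP setup.

    tunnel: tunnel network CIDR; lan_iface: LAN address with mask;
    carp_vip: CARP VIP on the LAN; local_networks: routes pushed to clients.
    """
    findings = []
    tunnel_net = ipaddress.ip_network(tunnel, strict=False)
    if not is_rfc1918(tunnel):
        findings.append(f"tunnel {tunnel} is not RFC 1918 space")

    lan = ipaddress.ip_interface(lan_iface).network
    if lan.prefixlen == 32:
        findings.append(f"LAN interface {lan_iface} is a /32 host; "
                        "the CARP peer and VIP cannot share its subnet")
    elif ipaddress.ip_address(carp_vip) not in lan:
        findings.append(f"CARP VIP {carp_vip} is outside LAN subnet {lan}")

    for cidr in local_networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.overlaps(tunnel_net):
            findings.append(f"local network {cidr} overlaps tunnel {tunnel}")
        elif lan.prefixlen < 32 and lan.subnet_of(net) and net != lan:
            findings.append(f"local network {cidr} is wider than LAN {lan}; "
                            f"{push_route_line(str(lan))} is enough")
    return findings
```

Running it on the thread's original values (172.50.48.0/24, 10.1.1.15/32, 10.1.1.254, 10.0.0.0/8) reports the non-private tunnel and the /32 LAN mask; the corrected values (172.24.48.0/24, 10.1.1.15/24, 10.1.1.254, 10.1.1.0/24) pass cleanly.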
                          • burn56

                            So I got this working finally.
                            Turns out, for my DNS servers, I needed to put my DHCP server there.
                            This allowed the DNS to get resolved.
                            Thanks for your help folks.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.